## **Special Feature**

# **Overview of RENA-CHIP Functions**

### Shuichi Chaki<sup>†</sup>

#### Abstract

This article gives an overview of the functions of the RENA-CHIP, a device for configuring network adapters. It makes possible low-priced network adapters that provide high-speed, high-volume, and highly secure IP (Internet protocol) communication with QoS (quality-of-service) control.

#### 1. Introduction

An IP (Internet protocol) network generally requires a device with an IP network terminating function at each connection point and boundary point, as shown in **Fig. 1**. Such devices are assumed to be used by both home and business users as equipment for connecting to future IP network services having higher speeds and more advanced functions than current ones. We call such a device a network adapter. It is also known as a home gateway, a residential gateway, or customer premises equipment.





#### 2. Required functions of the network adapter

In addition to serving as an IP router, the network adapter needs a QoS (quality-of-service) control function and a filtering function. The QoS control function ensures that telephony and other kinds of realtime communication, media streaming, and other such broadband communication as well as the data communication conventionally implemented on the Internet can be performed at an appropriate quality, considering the end-to-end service. For example, it prevents any degradation in quality for an IP telephone service that starts while a large volume of data is being sent or received. The filtering function protects the network by discarding invalid packets at boundary points, thus serving as a firewall. It can protect servers and information appliances connected to the IP network from denial-of-service (DoS) attack by invalid packets from the outside and can prevent unauthorized access to the data they hold. This function must have fast processing to match the high speeds in the IP network access lines and backbone network.

Access lines are expected to move steadily toward compatibility with Gigabit Ethernet (1000BASE-T GbE) optical network units (ONUs) in the future, and the throughput of the network adapter will eventually need to match the GbE wire rate, i.e., to be about 1 Gbit/s. However, using conventional equipment (e.g., a router) with such a high performance would make the network adapter expensive. NTT has developed the RENA-CHIP to provide a high-performance network adapter at a low price [1].

<sup>†</sup> NTT Cyber Solutions Laboratories, Yokosuka-shi, 239-0847 Japan. E-mail: chaki.shuichi@lab.ntt.co.jp

#### 3. RENA-CHIP

The RENA-CHIP is a large-scale integration (LSI) chip for configuring a network adapter that meets the above requirements. In addition to the IP routing, QoS control, and filtering functions, this chip also implements virtual private network (VPN) processing in hardware. This allows easy configuration of a network adapter for high-speed IP networks.

#### 3.1 Role in a network adapter

The chip's role is illustrated in **Fig. 2**. In the conventional network adapter configuration (Fig. 2(a)), two IP networks—a wide area network (WAN) and a local area network (LAN)—are connected by a central processing unit (CPU). In this case, the required functions are all implemented by the CPU. Thus, the feasibility of high-throughput processing depends on the performance of the CPU itself and on the tuning of the software running on the CPU. This requires technical expertise and a lot of effort from an engineer.

In a network adapter configured with the new chip, on the other hand, communication traffic between the WAN and LAN does not pass through the CPU, but is processed by the new chip (Fig. 2(b)). The CPU only needs to process the few packets that the new chip cannot handle (explained below) and perform setup processing. Therefore, high-throughput communication can be achieved with a less powerful CPU and without software tuning. This allows the development of an inexpensive, high-performance network adapter.

#### 3.2 Features

The chip has three main features.

(1) High-speed packet transfer function implemented in hardware

Hardware implementation of the following functions allows high throughput packet transmission.

- Searching of the routing table and ARP/NDP table needed to implement the IP router function (ARP: address resolution protocol; NDP: neighbor discovery protocol)
- Searching of the NAT/NAPT table and rewriting of the packet header according to the results, which is required for Internet access (NAT: network address translation; NAPT: network address port translation)
- Classification of packets by inspection of packet header data for the preset conditions used for filtering and QoS control
- Priority control, shaping, and queuing to perform QoS control according to the classification results
- Packet encapsulation for implementing VPN (for IPsec ESP (encapsulating security payload) tunnel mode and PPPoE (point-to-point protocol over Ethernet))

(2) IPv4/IPv6 dual stack

The above packet forwarding features apply to IPv6 as well as to IPv4.

(3) Cooperation with software

The processing of control packets to create the ARP and routing tables or a VPN, for example, is very difficult to implement in hardware. In addition, packets addressed to the network adapter itself (such as when the user changes the adapter's settings) must also be offloaded from the chip to an application program.



Fig. 2. Network adapter configurations.

| Function                            |                    | RENA-CHIP                                       | CPU                                                                            | Other                                                |
|-------------------------------------|--------------------|-------------------------------------------------|--------------------------------------------------------------------------------|------------------------------------------------------|
| Application program                 |                    | -                                               | HTTP, SIP, etc.                                                                |                                                      |
| L4                                  | TCP                | NAT/NAPT processing                             | Flow tracking (for SPI)                                                        |                                                      |
|                                     | UDP                | NAT/NAPT processing                             | Flow tracking (for SPI)                                                        |                                                      |
|                                     | ICMP               | -                                               | Flow tracking (for SPI) and response generation                                |                                                      |
| L3                                  |                    | IP frame construction                           | -                                                                              |                                                      |
|                                     | ARP/NDP<br>routing | Routing table search                            | Routing table construction                                                     |                                                      |
|                                     | NAT/NAPT           | NAT/NAPT table search                           | NAT/NAPT table construction                                                    |                                                      |
|                                     | IPsec              | ESP tunnel mode encapsulation and decapsulation | Key exchange and SA generation                                                 |                                                      |
| L2                                  |                    | MAC                                             | -                                                                              |                                                      |
|                                     |                    | VLAN frame construction                         | -                                                                              |                                                      |
|                                     |                    | PPPoE and PPP frame construction                | PPPoE discovery stage<br>PPP control (LCP/IPCP negotiation and authentication) |                                                      |
| L1 (layer 1)                        |                    | -                                               | -                                                                              | Implemented by a physical layer device               |
| Packet classification and filtering |                    | Packet search<br>Pass, block, mark (DSCP value) | Classification table construction                                              |                                                      |
| QoS control                         |                    | Priority control, queuing, and shaping          | Set priority control rules, queue length, and shaping parameters.              | Implement the packet buffer with external DDR-SDRAM. |

Table 1. Allocation of processing to RENA-CHIP and CPU.

TCP: transmission control protocol

SIP: session initiation protocol

UDP: user datagram protocol

ICMP: Internet control message protocol

MAC: media access control

VLAN: virtual local area network

HTTP: hypertext transfer protocol

SA: security association

SPI: stateful packet inspection

LCP: link control protocol

IPCP: Internet protocol control protocol

DSCP: differentiated services code point

The chip can send such packets to a separate CPU for processing, and priority control can also be applied to them. The classes of packets processed by the new chip and by the CPU are listed in **Table 1**.

#### 3.3 Packet processing

**Figure 3** is a block diagram of a network adapter containing a RENA-CHIP, represented by the area enclosed by the broken lines. Besides this chip, the network adapter configuration includes the following components.

- Physical layer controllers (PHY) that provide the physical interfaces to the WAN and LAN
- DDR-SDRAM (double data rate synchronous dynamic random access memory) that serves as the packet buffer for RENA-CHIP processing
- An external CPU and peripheral circuitry for running the software that works in cooperation with the chip

First, packets from the WAN go through a MAC (media access control) unit and arrive at the IPsec (Internet protocol security) unit, which determines whether or not the packet should undergo IPsec processing. If such processing is necessary, IPsec decapsulation is performed. Next, the packets pass through the memory controller and are stored in the DDR-SDRAM. Their headers are passed to the parser for analysis and the parsing results are sent to the search unit, which performs any processing necessary for packet classification for the filtering or QoS control functions, determines the packet routing (decides which interface the packet should be sent to for output: in this example, the LAN address or CPU address), and appends NAT/NAPT information. According to the classification results, the QoS unit adjusts the sending order and timing of packets. The memory controller then reads the packets from the DDR-SDRAM in the order set by the QoS unit and passes them on to the frame generator. The frame generator also reconstructs packets on the basis of the NAT/NAPT results. Finally, the packets are transmitted to the LAN via a MAC unit and the PHY or layer-2 switch.
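The search-unit decision described above, modeled in C as an added example (not code from the article or from NTT): software on the CPU builds a classifier table of at most 256 entries, and the fast path searches it, applies pass/block/mark, then selects the LAN or CPU output. The entry layout, first-match order, default deny on no match, and all addresses are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum action  { ACT_PASS, ACT_BLOCK, ACT_MARK };   /* Table 1: pass, block, mark */
enum verdict { OUT_LAN, OUT_CPU, OUT_DROP };

struct pkt  { uint32_t src, dst; uint16_t dport; uint8_t proto, dscp; };
struct rule {                 /* hypothetical entry layout; 0 = wildcard */
    uint32_t src, src_mask;
    uint16_t dport; uint8_t proto, dscp;   /* dscp is used only by ACT_MARK */
    enum action act;
};

#define MAX_RULES 256         /* Table 2: up to 256 filter/classifier entries */
struct classifier { struct rule r[MAX_RULES]; size_t n; };

/* CPU side: software constructs the table and must respect its capacity. */
int rule_add(struct classifier *c, struct rule r) {
    if (c->n >= MAX_RULES) return -1;
    c->r[c->n++] = r;
    return 0;
}

/* Chip side: search, apply the action, then pick the output (LAN or CPU).
 * Assumptions: first match wins; no match means drop (default deny). */
enum verdict forward(const struct classifier *c, struct pkt *p, uint32_t self_ip) {
    for (size_t i = 0; i < c->n; i++) {
        const struct rule *r = &c->r[i];
        if ((p->src ^ r->src) & r->src_mask) continue;   /* source prefix mismatch */
        if (r->proto && r->proto != p->proto) continue;
        if (r->dport && r->dport != p->dport) continue;
        if (r->act == ACT_BLOCK) return OUT_DROP;
        if (r->act == ACT_MARK) p->dscp = r->dscp;
        return p->dst == self_ip ? OUT_CPU : OUT_LAN;    /* own address: hand to software */
    }
    return OUT_DROP;
}

#define SELF_IP 0xC0000201u   /* 192.0.2.1, constructed adapter address */
/* Constructed sample policy, evaluated for one packet. */
enum verdict run_sample(struct pkt *p) {
    static struct classifier c;
    if (c.n == 0) {
        rule_add(&c, (struct rule){0xCB007100u, 0xFFFFFF00u, 0, 0, 0, ACT_BLOCK}); /* 203.0.113.0/24 */
        rule_add(&c, (struct rule){0, 0, 5060, 17, 46, ACT_MARK});  /* SIP over UDP -> DSCP 46 */
        rule_add(&c, (struct rule){0, 0, 0, 0, 0, ACT_PASS});       /* everything else */
    }
    return forward(&c, p, SELF_IP);
}

int main(void) {
    struct pkt flood = {0xCB007109u, SELF_IP, 80, 6, 0};        /* from the blocked prefix */
    struct pkt sip   = {0xC6336405u, 0xC0A8010Au, 5060, 17, 0}; /* to a LAN host */
    struct pkt mgmt  = {0xC6336405u, SELF_IP, 443, 6, 0};       /* to the adapter itself */
    int a = run_sample(&flood), b = run_sample(&sip), c = run_sample(&mgmt);
    printf("flood=%d sip=%d (dscp %d) mgmt=%d\n", a, b, sip.dscp, c);
    return 0;
}
```

Because the block action is taken in the fast path, the constructed flood packet addressed to the adapter is dropped before it can load the CPU, while permitted management traffic is still handed to software.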



Fig. 3. Block diagram of the RENA-CHIP.

#### 3.4 Main specifications and performance

The chip's main specifications are listed in **Table 2**. The packet transmission performance is 3 million packets per second (3 Mp/s), which indicates throughput of 2 Gbit/s (1 Gbit/s in the upward and downward directions simultaneously), regardless of the packet size.
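Why 3 Mp/s corresponds to the GbE wire rate at any packet size, as an added check that is not part of the original article: the packet rate peaks for minimum-size Ethernet frames, which occupy 64 bytes plus 20 bytes of preamble and inter-frame gap on the wire.

$$
\frac{10^{9}\ \text{bit/s}}{(64 + 20) \times 8\ \text{bit}} \approx 1.488\ \text{Mp/s per direction},
\qquad
2 \times 1.488\ \text{Mp/s} \approx 2.98\ \text{Mp/s} \le 3\ \text{Mp/s}
$$

Larger frames need fewer packets per second for the same bit rate, so a 3-Mp/s forwarding rate covers 1 Gbit/s in each direction at every frame size.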

The measured throughput for various packet sizes is plotted in **Fig. 4**, with data for a commercial broadband router given for comparison. The catalog value for the maximum throughput of this commercial broadband router is 800 Mbit/s. This commercial broadband router uses an 833-MHz PowerPC chip as its CPU and its price is about \$4000 (in Japan). Its throughput decreased as the packet size decreased. On the other hand, the RENA-CHIP network adapter maintained a throughput of 1 Gbit/s regardless of the packet size.

| Physical interfaces             |                       | 10/100/1000-Mbit/s Ethernet, WAN x1, LAN x1                                                                                                             |
|---------------------------------|-----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|
| VLAN                            |                       | IEEE 802.1Q tagged VLAN; up to 16 VLANs                                                                                                                 |
| WAN protocols                   | IPsec                 | IPv4/IPv6 over IPv6 ESP (tunnel mode), up to 7 simultaneous sessions <sup>*1</sup> with SHA-1, MD5, AES, anti-replay                                    |
|                                 | PPPoE                 | Up to 14 simultaneous sessions <sup>*1</sup>                                                                                                            |
| L3 transmission protocol        | IPv4                  | Routing table (up to 256 entries <sup>*2</sup> , source routing enabled)<br>NAT/NAPT table (NAT: 8 entries, NAPT: 256 entries)                          |
|                                 | IPv6                  | Routing table (up to 256 entries <sup>*2</sup> , source routing enabled)                                                                                |
|                                 | Multicast             | For IPv4/IPv6<br>Routing table (up to 256 entries <sup>*2</sup> )                                                                                       |
| QoS                             | IPv4/IPv6             | TOS/traffic class control, VLAN p-bit mapping                                                                                                           |
|                                 | WAN output<br>control | Ten-queue buffer (1024 or fewer frames each, tail drop/WRED) and three 4-input schedulers can be combined with 13 shapers.                              |
|                                 | LAN output<br>control | Four-queue buffer (1024 or fewer frames each, tail drop/WRED) and two 4-input schedulers can be combined with 6 shapers.                                |
| Filter, classifier              | IPv4/IPv6             | Up to 256 entries<br>Source MAC address, VLAN ID, IPsec SA (SPI, etc.), PPPoE session ID,<br>IP address, port number, TOS/traffic class, ICMP type/code |
| Packet transmission performance |                       | 3 Mp/s<br>(with 256 routing table entries and 256 filter and/or classifier entries set)                                                                 |

Table 2. Main specifications of RENA-CHIP.

\*1 The maximum number of tunnels that can be processed simultaneously is 14. IPsec uses two tunnels per session. PPPoE uses one tunnel per session.

\*2 A total of 256 entries for IPv4 unicasting, IPv6 unicasting, IPv4 multicasting, and IPv6 multicasting

TOS: type of service

WRED: weighted random early detection

Fig. 4. Effect of packet size on throughput.

Fig. 5. Effect of attack packets on packet loss.

The effect of an attack occurring during packet transmission is shown in **Fig. 5**, where the horizontal axis represents the volume of attack packets during a 100-Mbit/s data transmission and the vertical axis represents the packet loss rate. The load on the commercial router increased in response to the attack packets, so packets that should have been transmitted were lost. In contrast, the RENA-CHIP exhibited stable performance regardless of the rate of attack packets because the packet transmission processing is implemented in hardware.

#### 4. Conclusion

The RENA-CHIP enables a high-performance network adapter to be constructed at a low price. We estimate that this chip can be sold for about \$20, which should make a network adapter with a low-performance CPU and a RENA-CHIP very competitive against other network processors of equal performance. With an eye on market needs, we plan to improve its functionality by

- Implementing a hardware flow tracking function for stateful packet inspection to improve the security functions
- Increasing the capacity of the various tables and increasing the number of IPsec and PPPoE sessions to expand the field of applications
- Achieving (IPsec ESP tunnel mode IPv4)-over-IPv4 compatibility for application to Internet VPNs
- Achieving compatibility with many embedded operating systems and with PCI (peripheral component interconnect) for interfacing with external CPUs to allow widespread use of the RENA-CHIP.

#### Reference

[1] K. Koike, "Technical Trends of Network Processors and the RENA-CHIP," NTT Technical Review, Vol. 4, No. 9, pp. 12-16, 2006 (this issue).



#### Shuichi Chaki

Research Engineer, Promotion Project 1, NTT Cyber Solutions Laboratories.

He received the B.E. and M.E. degrees in knowledge-based information engineering from Toyohashi University of Technology, Aichi, in 1993 and 1995, respectively. He joined NTT Customer Equipment Department in 1995. He took up his present position in 2004 and is currently engaged in the development of telecommunications equipment for the office such as key telephone systems and network adapters for IP network services.